Downloads

UPDATE: I've stopped development on sa-user-admin in favor of a new project that
combines the features of sa-user-admin with simple end-user account management, such as
changing their password, forwarding email or setting up an out-of-office/vacation
auto responder. It is currently undergoing alpha testing (12/02), and I hope to have a
public beta soon.

NOTE: The seekable patch is no longer needed for vpopmail
as of 5.3.7, thanks to Bill Shupp!

Vpopmail seekable patch - this is a
diff against the 5.1.4 development version. It has also been
tested against 5.1.6 and 5.1.7, but it is unknown if it will work with
other versions. seekable-5.1.4.diff

Vpopmail 5.2 seekable patch - this is just mirrored
from www.thesafebox.com. I'll make the
same warning that Marcus does: WARNING: This is completely untested
but it does compile. I will also say that it does work on my system. I've
also included this patch in the tarball for
sa-useradmin-0.3, so if you grab that,
you don't need to grab this as well. seekable-5.2.diff

This is a diff that I've submitted to Ken Jones
to clean up some of the zone file and named.conf parsing in
dnsadmin, and store some of the options from named.conf in the
mysql database as well. This is against the 0.4 release of
dnsadmin, and I believe that Ken will be adding some things to
it, and making a 0.5 release sometime soon. dlw-dnsadmin-0.4.diff

qmail

I've been doing a lot of work lately with qmail and vpopmail in an
Enterprise setting. So far, I've built two qmail clusters as well
as a number of qmail + vpopmail installations. Like most hard core
geeks, I've come up with my own list of preferred patches to qmail.
You can find my latest list, along with a combined diff of all of them over
on the CTS qmail
webpage.

Hi there....welcome to my little part of the web. This is
where I'm going to experiment with CSS, talk about some of my
hobbies and put up some of the code I'm working on. I'm one of
the owners of a website hosting company. I work on all things Technical
there, and I even sometimes get to play with neat toys doing it!

I'm going to try doing this page in all CSS, including layout.
No font tags, no tables to structure the page. Just div tags
wrapped around things to handle the positioning. Weee! It
promises to be fun. I'm glad I've got "Cascading Style Sheets:
The Definitive Guide" from O'Reilly on my shelf. I don't think I
could survive in this business without my collection of titles
from O'Reilly. If you're looking for a good book on a technical
subject, and O'Reilly publishes one, stop looking and buy it :).
Of course, if you're reading this and you're using NS 4.x, it
doesn't look as good as in a more modern browser 'cause of the way
that NS 4.x parses style sheets. But I did get NS 4.x to do the
basic positioning. Not the way I'd really like it to look, but it
has the same basic structure and layout, it's just not as pretty.
Bite me, NS4!!

For fun, I do historical reenactment. I belong to a group
called The Society for Creative
Anachronism (SCA). I was the Chief Information Architect
for the SCA, responsible for the
corporate web page, as well as developing a number of internet related
projects. The first one to be completed was the
On-line Marketplace, and it's doing great!

In my copious free time, I hack on various things to make my
life as a system administrator easy. For starters, we use the Apache web server. For
e-mail, we use qmail, which I
think is a much better choice than sendmail. Then, to make things
simple for virtual domains, we use vpopmail and qmailadmin. I've
started to hack on dnsadmin (from the
same guys that brought us vpopmail and qmailadmin!) for dns
administration. And these days, you can't offer e-mail services
without offering a web based mail reader, so sqwebmail to the
rescue!

Lately, viruses have been getting a lot of press, so I'm
currently doing an evaluation of RAV Antivirus, which
actually does the scanning at the mail server level, before it
even gets into the user's mailbox. So far, I'm pretty impressed
with it, and the pricing is reasonable. Worth checking out.

And what mail admin's life wouldn't be complete without a
healthy dose of spam? Well, as the postmaster, I get a lot of
spam. I've been looking for a solution for years. The various
RBL's only stop so much. Well, in my surfing and reading of
mailing lists, I found SpamAssassin, and I have
to say, it rocks! SpamAssassin doesn't block spam per se
(although I believe it can work with other tools to bounce mail
under some circumstances), but it does look at the messages, and
applies a bunch of rules (details on the SpamAssassin webpage) and
"scores" the e-mail. If the score reaches a configurable level,
then it is tagged as potential spam. It supports white lists, so
if e-mail from friends and family is coming up with a high
score, you can tell SA not to check their mail. It also has a
black list, so you can always tag something as
spam. SA can also store user preferences in an SQL backend (like
MySQL), which makes it
possible to make it very convenient for users to control their
individual settings. There is a PHP user admin interface
available that is pretty good, but I didn't like my
authentication options. I wanted to not only authenticate against
the system user files (/etc/passwd and /etc/shadow), but
vpopmail's as well, so there wasn't a separate password required.
So, SA-user-admin was born. I just finished up some modifications to it, as well
as incorporating a user patch I was sent, so it now supports version 2.x of
Spam Assassin. It should be considered beta code - but it works on my server :-D.
There's a link to the tar file on the left, along with some other
useful tidbits, like the seekable patch for vpopmail (needed if
you want to use SA with vpopmail).

I just finished playing around with pop and imap over ssl,
using courier-imap. Overall, I'd have to say it's pretty easy,
especially if you have openssl installed. The only real gotcha is
if you're using the self-signed pop and imap certificates that
courier-imap generates, your Outlook Express users are going to
get a warning about the certificate every time they start OE
and check mail for the first time. The warning (at least in OE 6)
looks like this. I believe OE5 and OE5.5 are similar.

I've also
just found out (01/20/2002) that this will also work with the TLS/SSL
patch to qmail (either directly, Bill Shupp's qmail-toaster patch,
or my mega-qmail patch). You can either sym-link the control/servercert.pem
to either the imap or pop certificate from courier-imap (if the hostname
is the same) or generate a new certificate (if the hostname is different). The
certificate needs to be owned by qmaild:qmail. This isn't a problem if you're
running courier-imap and/or courier-pop3d as root. If you're running it as a
different user, you may need to copy the certificate into control/, or see if
you can run courier-imap/pop3d as qmaild:qmail. I haven't tested this with
a copy of qmail that hasn't been patched with one of the outgoing-ip patches
that are available. If you're not running one of these, you may get a
hostname mis-match error from your MTA. Thanks to my buddy Josh for pointing me
in the right direction and helping me debug the procedure!

The commands listed here are extracted from The Open-source PKI
Book. If you wish to know more about PKI in general, it
is the definitive reference. For these steps, you'll need openssl
installed. First, we need a workspace that should only be
accessible by root. I used /root/CA, but any location will do.
Next, generate an RSA key pair:

This will create a 2048-bit RSA key, stored in
ca.key. Now, you need to create a self-signed CA
Certificate:

# openssl req -new -x509 -days 3652 -key ca.key -out ca.crt

You'll see the following after executing this command:

Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase: enter your password for the key here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Horsham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebMasters, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:WebMasters, Inc.
Email Address []:certs@webmast.com

This will create a self-signed certificate called ca.crt valid
for 10 years. The file names (ca.key and
ca.crt) are important, as the sign.sh
shell script that comes with mod_ssl looks for these specific
file names. That's it, you now have a root certificate ready
to be used to sign other certificates or to be installed in a
browser!

Ok, now that you've created a self-signed CA certificate, it's
time to generate the certificate(s) for your pop and imap
servers. The number of certificates you need depends on how many
host names you are using. If you use the same host name (i.e.,
mail.example.com) then you only need a single
certificate. Basically, you need a certificate for each unique host
name. The instructions are the same for each. The only difference
is the Common Name, and possibly Organizational Unit Name. Let's
get started!

# openssl genrsa -out pop3d.key 2048

This will create a 2048-bit RSA key that doesn't require you
to enter the password when the pop3d-ssl or imapd-ssl server
starts. The output from this command is very similar to when you
created the key for the CA, except you won't be prompted for a
password.

Now that you have a key, let's generate a Certificate Signing
Request (CSR):

# openssl req -new -key pop3d.key -out pop3d.csr

Using configuration from /usr/lib/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Horsham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebMasters, Inc.
Organizational Unit Name (eg, section) []:WMI pop-3 mail server
Common Name (eg, YOUR name) []:pop3.webmast.com
Email Address []:postmaster@webmast.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now you need to create the pem file in the format that
courier-imap wants. First, you'll need to edit the pop3d.crt
created when you signed the csr. The sign.sh script includes a
human-readable description of the key. We want to delete all
those lines, and only have:

We're almost done now! The next two steps are IE/OE specific.
Other browser and mail program combinations will be added as I
have the time to install and test them. This has been tested on
IE5.5 and IE6, but IE4 and IE5 should be similar. Move a copy of
your ca.crt file to somewhere in your website's document
root. Create a link to this file on a page in your website
explaining the benefits of pop or imap over ssl to your users.
When your user clicks on the link, your root certificate will be
downloaded. When prompted to save or open the file, tell your
users to open it. This should bring up the IE Certificate
Information window. Click on 'Import Certificate'. This will then
start the 'Certificate Manager Import Wizard'. Accept the
defaults, and you will then be prompted for confirmation at the
end that you want to add this certificate to the 'Root Store'.
This is where we want it. If your CA certificate is not in IE's
'Root Store', OE will continue to give that warning every time you
start it up. That's it, your root certificate is now installed in
your users' MS certificate manager, which is used by both IE and
OE.

Hey, you've made it to the final step! This one is pretty easy.
In OE, Click on Tools -> Accounts, select the account
you will be using to get your mail with, click on
Properties, then the Advanced tab. Check
This server requires a secure connection (SSL). Close
the properties window, and then the account list. That's it,
you're now setup to use SSL for your pop or imap connection, and
your users won't get that security warning at all!

Netscape 4.7.x is pretty much the same. Go to the link for the
root certificate. The certificate import window will open. Click
'Next' three times, then check at least 'Accept this Certificate
Authority for Certifying e-mail users', Click 'Next' two more
times, enter the name of your CA, then click 'Finish'. But, it's
pretty much a moot point, 'cause I wasn't able to get IMAP over
SSL to work with NS 4.7.x Messenger, and it doesn't even look
like it supports POP over SSL.

I just tested the certificate import in Netscape 6.2 and
Mozilla 0.9.7 (BuildID: 2001122106), and it pretty much works the
same as IE. Click on the link, and the following dialog box comes
up:

Just check at least 'Trust this CA to identify email users',
and then click the 'Ok' button. For Netscape/Mozilla mail, go
into the account settings, expand the account you want to use SSL
with, click on 'Server Settings' and check 'Use secure connection
(SSL)'. That's it!
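
The CA and server-certificate steps from this page, collected into one unattended script as an added example (not the author's own commands). It assumes openssl is on the PATH, uses constructed sample names (mail.example.com, Example Mail CA), leaves the CA key without a pass phrase, and uses `openssl x509 -req` as a stand-in for mod_ssl's sign.sh; it also adds a subjectAltName and checks the finished pem file.

```shell
#!/bin/sh
# Added example, not the page's own commands. The host name, DN fields and
# temporary directory are constructed sample values.
set -eu

make_ca() {           # $1 = work directory
    mkdir -p "$1"
    chmod 700 "$1"    # workspace accessible to its owner only
    ( umask 077; cd "$1"
      # No pass phrase on the CA key so this runs unattended (assumption).
      openssl genrsa -out ca.key 2048 2>/dev/null
      openssl req -new -x509 -days 3652 -key ca.key -out ca.crt \
          -subj "/C=US/O=Example Mail CA/CN=Example Mail CA" )
}

make_server_pem() {   # $1 = work directory, $2 = file prefix, $3 = host name
    ( umask 077; cd "$1"
      openssl genrsa -out "$2.key" 2048 2>/dev/null
      openssl req -new -key "$2.key" -out "$2.csr" \
          -subj "/C=US/O=Example Mail/CN=$3"
      # Current TLS clients match the host name against subjectAltName.
      printf 'subjectAltName=DNS:%s\n' "$3" > "$2.ext"
      # Stand-in for sign.sh: sign the CSR directly with the CA key.
      openssl x509 -req -in "$2.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 365 -sha256 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
      # Private key followed by the bare PEM certificate, no text dump.
      openssl x509 -in "$2.crt" -out "$2.crt.pem"
      cat "$2.key" "$2.crt.pem" > "$2.pem" )
}

check_pem() {         # $1 = work directory, $2 = prefix; prints "ok" or fails
    ( cd "$1"
      # The certificate in the bundle must chain to our CA ...
      openssl x509 -in "$2.pem" | openssl verify -CAfile ca.crt >/dev/null 2>&1 || exit 1
      # ... and its public key must belong to the private key in the bundle.
      k=$(openssl pkey -in "$2.pem" -pubout | openssl sha256)
      c=$(openssl x509 -in "$2.pem" -noout -pubkey | openssl sha256)
      [ "$k" = "$c" ] || exit 1
      echo ok )
}

demo_dir=$(mktemp -d)
make_ca "$demo_dir"
make_server_pem "$demo_dir" pop3d mail.example.com
check_pem "$demo_dir" pop3d
rm -rf "$demo_dir"
```

Running `check_pem` after every renewal catches the two common mistakes, a certificate paired with the wrong key and a certificate signed by a CA other than the one your users imported.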